Fast Flux refers to techniques of hiding malware delivery sites or other types of servers by cycling mappings of a domain name to different IP addresses. Using such techniques, a command and control (C2) server which controls a set of hosts as part of a botnet frequently changes the mapping of a fully qualified domain name to an IP address of one of the hosts. In this way, the C2 server can thwart attempts by network administrators to block data to and from the botnet. A Fast Flux Network (FFN) is a set of hosts and a server or a set of servers which controls the hosts using Fast Flux techniques; a domain name which resolves to IP addresses of a set of hosts of a FFN is a Fast Flux Domain Name (FFDN).
Conventional methods of ascertaining whether a domain name is a FFDN involve an external server which extracts links from suspicious messages and applies fast flux metrics to the domain names contained in those links (i.e., quantifies the likelihood that each domain name is a FFDN). Such fast flux metrics use information derived about domain names, including the results of DNS queries and translations of IP addresses to Autonomous System Numbers (ASNs). From the query results, the external server can deduce, for example, the IP addresses to which the domain name resolves and an approximate geolocation corresponding to each IP address. For example, a fast flux metric assigns a numerical value to a domain name that is proportional to the mean distance between the geolocations derived from the domain name.
If the fast flux metric of a domain name is greater than a threshold value, the conventional methods further involve the external server identifying the domain name as a FFDN and informing a network administrator of the identification. The network administrator then uses the identification of the domain name as a FFDN as a basis for blocking communications to and from web sites which use the domain name as an identifier.
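The geolocation-based metric and threshold rule described above, as an added worked example that is not part of the original text: the resolved IP addresses, their coordinates and the 2000 km threshold are constructed assumptions for illustration, and the metric is computed as the mean great-circle distance over all pairs of resolved locations.

```python
import math
from itertools import combinations

# Constructed sample: DNS resolution results for two domain names, each IP
# already translated to an approximate geolocation (lat, lon in degrees).
# The addresses and coordinates are made up for illustration.
RESOLUTIONS = {
    "cdn.example": [          # addresses clustered in one region
        ("198.51.100.10", (37.77, -122.42)),
        ("198.51.100.11", (37.34, -121.89)),
        ("198.51.100.12", (34.05, -118.24)),
    ],
    "suspicious.example": [   # addresses scattered across continents
        ("203.0.113.5", (52.52, 13.41)),
        ("203.0.113.77", (-33.87, 151.21)),
        ("203.0.113.140", (40.71, -74.01)),
        ("203.0.113.201", (35.68, 139.69)),
    ],
}

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def fast_flux_metric(resolutions):
    """Mean pairwise distance (km) between the geolocations a domain resolves to.
    Fewer than two resolved addresses give no pairs, so the metric is 0."""
    points = [geo for _ip, geo in resolutions]
    pairs = list(combinations(points, 2))
    if not pairs:
        return 0.0
    return sum(haversine_km(p, q) for p, q in pairs) / len(pairs)

def classify(domain, threshold_km=2000.0):
    """Apply the threshold rule: return (metric, flagged_as_ffdn)."""
    metric = fast_flux_metric(RESOLUTIONS.get(domain, []))
    return metric, metric > threshold_km

if __name__ == "__main__":
    for name in RESOLUTIONS:
        metric, flagged = classify(name)
        print(f"{name}: mean distance {metric:.0f} km, FFDN={flagged}")
```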